Wednesday, January 28, 2015

CVE-2015-0235: Ghost

The last two days have been taken up with the glibc ghost vulnerability found by Qualys: a heap buffer overflow in __nss_hostname_digits_dots(), the helper that the gethostbyname*() family uses to short-circuit lookups of names that are already numeric IP addresses. They have a good description and a good detailed analysis.
Essentially this is the old "parsing untrusted input" problem -- a value comes in from a dubious source and the code needs to be robust against an attacker who can choose arbitrary malicious input.

Vulnerabilities like this are hard to classify. It's almost certainly exploitable by someone who already has a local account on a box. But determining whether it is remotely exploitable is difficult. This is what is called the "cone of uncertainty"; it takes time to do the research and find out if any code paths are directly reachable with attacker-controlled input. Starting at the vulnerable gethostbyname*() functions and working outwards through every caller is time consuming.
Many times this week I have wished for a rough equivalent to perl's taint checking -- let me flag a piece of memory as "tainted", and allow me to follow it through the system to an arbitrary function call.

Since vulnerability classification is the first step in determining actions, use attack modeling techniques to determine exploit vectors. Enumerate all the ways untrusted input can make it through the system to the vulnerable function. For example, a web app may take an IP address or hostname from a form field and hand it to gethostbyname(); that text field is then a vector for the vulnerability.
Once all vectors are enumerated, determine if mitigations are in place. In the case of ghost, Qualys reports that the name must be roughly 1024 bytes or longer, must consist only of digits and dots, must start with a digit and must not end with a dot; anything shorter, or containing any other character, cannot reach the overflow. Any length limit or character whitelist already applied to the input is therefore a mitigation. When that work is done, there should be fewer code paths to analyze.
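As an added illustration of that mitigation check (this is example code written for this post, not Qualys' code or anything from glibc), the function below classifies a single input against the trigger preconditions listed above. The length threshold is this example's own reading of the buffer layout in the Qualys analysis, namely the space reserved ahead of the copied name in the 1024-byte buffer that gethostbyname() allocates, and is an assumption rather than a value exported by glibc; the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Space the resolver uses in its buffer ahead of the copied hostname: an
   IPv6-sized address, a two-entry address pointer list and one alias
   pointer.  Assumption derived from the Qualys analysis, not from glibc. */
#define GHOST_OVERHEAD (sizeof(struct in6_addr) + 3 * sizeof(char *))
/* Initial buffer size used by the non-reentrant gethostbyname(). */
#define GHOST_BUFSIZE  1024u

/* Return 1 if NAME satisfies every precondition for reaching the overflow
   through gethostbyname(), 0 if at least one fails and the input is
   harmless for this bug (it may still be hostile for other reasons). */
int ghost_trigger_candidate(const char *name)
{
    size_t len = strlen(name);
    struct in_addr addr;

    if (len == 0 || !isdigit((unsigned char)name[0]))
        return 0;                 /* numeric fast path needs a leading digit */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return 0;             /* any other character means a normal lookup */
    if (name[len - 1] == '.')
        return 0;                 /* trailing dot also falls through to a lookup */
    if (!inet_aton(name, &addr))
        return 0;                 /* the overflowing copy follows a successful parse */
    return len + 1 + GHOST_OVERHEAD > GHOST_BUFSIZE;
}

/* Build an all-'0' name of N characters (constructed input; the shape
   Qualys used, since inet_aton() accepts an arbitrarily long zero). */
void fill_numeric(char *out, size_t n)
{
    memset(out, '0', n);
    out[n] = '\0';
}

int main(void)
{
    static char name[2048];
    const char *samples[] = { "10.0.0.1", "10.0.0.1.", "0.0.0.0.0",
                              "www.example.com" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], ghost_trigger_candidate(samples[i]));

    fill_numeric(name, 1000);
    printf("%zu x '0'           -> %d\n", strlen(name), ghost_trigger_candidate(name));
    return 0;
}
```

Run it over whatever reaches gethostbyname() from each enumerated vector; an input field that cannot produce a 1 here (because of a length cap, for instance) can be crossed off the list.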

As Qualys proved, there are many possible attack vectors. If they cannot all be analyzed in a short amount of time, then prepare for the worst case.
Weigh the risks before deciding a plan of action. Often the fix for a new vulnerability is not immediately available, and issuing an incomplete fix is worse than taking a few extra days to publish the correct fix.
In this particular scenario, the risk of patching glibc is relatively small -- the fix has been in upstream glibc since 2013 (it shipped in glibc 2.18), so it is well exercised, and there is a definitive test case that can be run easily to confirm whether a given system is still affected. It is prudent to issue a patch as soon as possible.
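The test in question works by handing gethostbyname_r() a name that is exactly long enough to pass the old, short size check, with a sentinel placed right after the buffer. Below is an added example in that style, written for this post rather than taken from Qualys; the length arithmetic is this example's reading of the bug (the vulnerable check budgeted for a 16-byte address and two address pointers but not for the alias pointer also stored ahead of the name). It runs on Linux/glibc; on another libc it reports "inconclusive" rather than guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* Resolver scratch buffer immediately followed by a sentinel that a correct
   implementation must never touch.  The struct keeps them adjacent. */
#define SENTINEL "stay_out_of_here"
struct scratch {
    char buffer[1024];
    char sentinel[sizeof SENTINEL];
};

/* Run the reproducer once and report what happened to the sentinel. */
int ghost_check(void)
{
    struct scratch s;
    struct hostent res, *result = NULL;
    int herrno = 0;
    /* Longest all-digit name the vulnerable size check accepted for a
       1024-byte buffer (assumption: address + two pointers + NUL, with the
       alias pointer left out of the budget). */
    size_t len = sizeof s.buffer - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof s.buffer];

    memset(s.buffer, 0, sizeof s.buffer);
    memcpy(s.sentinel, SENTINEL, sizeof SENTINEL);
    memset(name, '0', len);          /* constructed input: all-zero numeric name */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &res, s.buffer, sizeof s.buffer,
                             &result, &herrno);

    if (memcmp(s.sentinel, SENTINEL, sizeof SENTINEL) != 0)
        return GHOST_VULNERABLE;     /* the copy ran past the end of the buffer */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE; /* the corrected size check refused the buffer */
    return GHOST_INCONCLUSIVE;       /* different libc or a different code path */
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable", "inconclusive" };
    puts(verdict[ghost_check()]);
    return 0;
}
```

Because the check exercises the shared library that is actually loaded, it answers the question that matters after patching: not "is the package updated" but "does the resolver this process calls still overflow". Long-running daemons keep the old glibc mapped until they are restarted, so run it from a freshly started process and restart (or reboot) after the update.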
Given the classifications published earlier, ghost would qualify as a severe vulnerability. Actions should be dictated by established policy.